
The strange case of Harvest Finance October 21-28

October 29, 2020

Harvest Finance had accumulated up to $1 billion in total value locked before an “economic exploit” brought that growth to a halt. Total value locked currently sits at around $300 million, and the prospects for a recovery look bleak.

The exploit has rekindled debate in the DeFi community over whether these kinds of flash loan arbitrage attacks are actually hacks.

Harvest offers yield-farming vaults similar to Yearn’s: they issue tokenized vault shares based on the value of the assets users provide. Some of these vaults are built on Curve’s Y pool, which provides liquidity for swaps between USDT, USDC, DAI and TUSD.


In the attack, flash loans were used to swap 17 million USDT into USDC via Curve, which temporarily pushed the USDC price up to $1.01. The attacker then used another roughly $50 million flash-loaned stash, which the system valued at $50.5 million, to enter Harvest’s USDC vault.

Once inside, the attacker reversed the previous trade, going from USDC back to USDT to even out the price, and then immediately redeemed his stake in the Harvest pool for $50.5 million in USDC, a net profit of $500,000 per cycle. The cycle was repeated enough times to net $24 million in loot.

So is this a hack or not?

There were no technical weaknesses here. This kind of “arbitrage trade” was missing a check to see whether the price of these stablecoins had deviated too far from their expected value. But the bar was already set pretty low, and such a check is more of a minor inconvenience than a real blocker: an attacker just needs to run more exploit cycles.
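To make the accounting concrete, here is an added, constructed Python model of a share-based vault that values its holdings at a manipulable spot price, together with the kind of peg-deviation check discussed above. It is not Harvest’s code; the vault size, tolerance and prices are assumed, and the point it shows is that a tolerance bounds the loss per cycle (and shrinks it when the vault is small relative to the deposit) rather than stopping the pattern outright.

```python
PEG = 1.00  # expected USD value of the stablecoin


class Vault:
    """Toy vault: shares are priced from holdings measured in the deposit asset.

    Constructed for illustration only. When the deposit asset trades above peg,
    the vault's existing holdings look smaller in that asset, shares get cheaper,
    and a deposit made at that moment buys more of the vault than it should.
    """

    def __init__(self, holdings_usd: float, max_deviation: float):
        self.holdings = holdings_usd          # position value in USD at peg (assumed)
        self.shares = holdings_usd            # 1 share == $1 at peg initially
        self.max_deviation = max_deviation    # tolerated |spot - PEG| / PEG

    def _check(self, spot: float) -> None:
        # The deviation check: reject activity while the coin trades too far from peg.
        if abs(spot - PEG) / PEG > self.max_deviation:
            raise ValueError(f"spot {spot:.4f} deviates beyond {self.max_deviation:.2%}")

    def share_price(self, spot: float) -> float:
        # Tokens per share: holdings are converted to tokens at the current spot price.
        return (self.holdings / spot) / self.shares

    def deposit(self, amount: float, spot: float) -> float:
        self._check(spot)
        minted = amount / self.share_price(spot)
        self.holdings += amount * PEG         # the vault really receives `amount` tokens
        self.shares += minted
        return minted

    def withdraw(self, shares: float, spot: float) -> float:
        self._check(spot)
        payout = shares * self.share_price(spot)
        self.holdings -= payout * PEG
        self.shares -= shares
        return payout


def cycle_gain(holdings_usd: float, max_deviation: float,
               deposit: float, deviation: float):
    """Net tokens extracted by one deposit-while-deviated / withdraw-at-peg cycle,
    or None when the vault's check rejects the deposit."""
    vault = Vault(holdings_usd, max_deviation)
    try:
        shares = vault.deposit(deposit, PEG * (1 + deviation))
    except ValueError:
        return None
    return vault.withdraw(shares, PEG) - deposit
```

With a 3% tolerance and a 1% spike, a $50M deposit into a $100M vault extracts about $332k per cycle; tightening the tolerance to 0.5% rejects that spike but still leaves a smaller gain for a 0.5% one, which is why the check raises the number of cycles needed rather than blocking the pattern.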

This sequence is risky and still skips many steps

In this regard, proponents of the theory that this is just an arbitrage trade are right: the code does not contain any unintended behavior. It is more like weaponized market manipulation repeated at high speed.

However, the Harvest Finance team took responsibility for this as a design flaw, which is commendable.

In all honesty, I’m not even sure what these semantic debates are about. People lost money in avoidable ways, and an audit should have caught this and flagged it as a critical problem.

But it can definitely be argued that this is a different category of failure from something like reentrancy. It emphasizes that these financial building blocks, often referred to as “money Legos”, need to be designed with great care at the drawing-board stage.

It’s like someone building a gun out of Lego pieces and people arguing over whether the gun was “made” or “discovered”, since the pieces were technically put together as designed. Either way, the Lego parts need to be reworked so that they can’t become a deadly weapon.

Too much trust in cryptocurrency standards

Before the hack, Harvest was characterized by an extreme degree of centralization. At its peak, the entire billion dollars could have been drained by a single address, likely controlled by the anonymous team behind the project. Several audits highlighted this fact and also made clear that governance could designate minters and mint tokens at will.

Fans of the project vigorously defended it: thanks to a timelock, governance key holders could not withdraw funds until 12 hours after signaling their intent, and they could only mint a limited number of tokens.

I will let you judge these arguments. The broader point is that in pursuit of yield, these “degens” ignore the fundamentals of decentralization and what DeFi is all about.

And I’m not saying this is bad because of some idealistic principle I hold. It’s because of the rug pulls. These are exactly the circumstances that led to disasters like UniCats.

The crazy story of bZx

Speaking of hacks, I had the pleasure of interviewing the bZx team about their terrible year. They suffered a total of three attacks in 2020, some of which definitely feel more like the “economic exploits” discussed above.

The team is nothing if not committed. One story that didn’t make it into the article was Kyle Kistner jumping over a fence in the middle of the night to get into the condominium where his co-founder, Tom Bean, lived. Apparently there was a bug that literally needed to be fixed as soon as possible.

Judging from the story, being a DeFi developer is not for the faint of heart, or for people who like to sleep.

Of course, you can’t help but notice that bZx has been exploited far too often. As a former bug bounty hunter, I could definitely see that their security practices were below average at the beginning of the year (the bug bounty program, for example, was pretty bad), but I also saw them fix a lot of their bugs. Maybe there are other underlying issues, but I think they could eventually recover if no more incidents happen.

DeFi’s threat to staking

A ConsenSys report highlights an issue that has so far been ignored, namely the opportunity cost of staking in a DeFi environment.

The idea is very simple: money chases the highest returns, and DeFi seems to have plenty of them these days. Even something relatively tame like 20% APY could beat the roughly 8% on offer for staking and validating on Ethereum 2.0.

This problem is exacerbated when you consider that in phase 0 of Ethereum 2.0, you cannot withdraw or transfer the tokens you have staked until phase 1 or 2 arrives. Basically, you’re betting on the team to deliver a full implementation in a reasonable time, and you aren’t really getting rewarded that much for the risk.

In this scenario, the more popular DeFi is, the less secure the network is, and that’s a big problem.

Fortunately, this can largely be solved by staking derivatives: liquid tokens backed by collateral that is being used for staking, a kind of Ether IOU. There is a risk that the underlying collateral gets slashed and the tokens are suddenly worth less. The good thing for the network is that in this case only DeFi is affected, which restores the natural hierarchy of importance.

However, this shows how many unwanted interactions there could be in the future. DeFi can get extremely complex on its own, and if people don’t fully understand it, the consequences can be dire.